pwsafe
webauthn-recovery-extension
Metric | pwsafe | webauthn-recovery-extension
---|---|---
Mentions | 26 | 9
Stars | 681 | 56
Growth | 2.1% | -
Activity | 9.8 | 4.1
Last commit | 2 days ago | 6 months ago
Language | C++ | Python
License | GNU General Public License v3.0 or later | -
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
pwsafe
- How do you sync your passwords?
  Maybe I'm old school, but I don't want a local appliance of sorts or external app host to my passwords. I use https://pwsafe.org/ and install the app on whatever device I want. Keep the database file in G Drive so it will always sync or can manually download if needed without installing G Drive. The latter I've not had to do though.
- Is there an online password manager that also works offline
  It's an Android port of http://pwsafe.org. PwSafe works on iOS, MacOS, Windows and Linux.
- Password management after death
  I'd put them all in a disk-on-key install of Password Safe (https://pwsafe.org).
- Hey guys, in light of the recent LastPass breach, I'm curious about your thoughts on using password managers without inputting the site's URL or name. Do you think this provides an extra layer of safety? Let's discuss!
- Password manager
  passwordsafe https://pwsafe.org/
- [NOOB HERE] How do CSOs keep the admin passwords in organizations?
- My husband put an air tag in my vehicle. The count is up to 3 air tags now.
  My father literally writes cryptography protocols. He's the guy with unique, 32-character alphanumeric passwords for everything, to the point he has to look them up any time a service updates and loses the login information. He uses a password safe. Literally, it's called Password Safe. It's open-source, looks like it was written in 1995, and perfect. Just don't forget the password to the safe, because you're not hacking your way in.
- Best free offline password manager
- How do you folks make it so you remember all the passwords to all the systems and services you run?
  Personally I use PasswordSafe4 and I back up my password files on my phone and I email myself the file every so often.
- LastPass Shouldn't Be Trusted With Your Passwords
  For local storage, password safe (https://pwsafe.org/) is good and was designed by Bruce Schneier.
webauthn-recovery-extension
- A Yubico FAQ about passkeys
  > I have to admit I don’t really see the point of making this be part of a secure token. The “username” store (actual username, tuple of (username, FIDO blob) or whatever) doesn’t seem terribly sensitive from a local attack perspective, but it is fairly sensitive from a privacy perspective. Wouldn’t it work better to have this be stored by a browser, per container, etc?

  An agent that registers non-discoverable credentials as discoverable ones via local storage is an option, although not one that browsers have yet chosen to support.

  This however locks you onto a browser (if it doesn't have a cloud sync fabric) or into a particular ecosystem (if that browser has a sync fabric). Authenticators support discoverability because a limitation of only being able to authenticate in a single browser is significant.

  Since authenticators tend to either support both discoverability and user verification, or neither discoverability nor user verification, I suspect there won't be business drivers to support such user agent storage/functionality.

  Note that the CredProtect extension protects discoverability of a resident credential without user verification, and Chrome requests this extension on sites' behalf by default. This protects against scenarios where a third party who gets physical access to your authenticator (thief, partner, law enforcement, border control) can introspect the websites you have accounts at without your participation.

  > Also, how is enrollment of an attested-but-not-present token or a multisig group of tokens or anything that enables off site storage of a token not part of the spec? It even seems like a company like Yubico could hack up a pair of tokens that separate enrollment and authentication without a spec change. Of course, discoverable credentials are a bit of a step backwards in this regard.

  There was a serious proposal: https://github.com/Yubico/webauthn-recovery-extension

  The challenge is that support for such things (new multisig algorithms, this recovery extension) requires active relying party participation, and many would just choose not to take on the extra effort.

  So instead we have multi-device credentials, where there is a sync fabric behind the scenes. Nothing would preclude hardware credentials from participating in such a thing, although they would obviously need either radios or software assistance to do so.

  To capture the change in physical hardware, a new extension (devicePubKey) is being proposed under Web Authentication. This would have the benefit over the previous recoverability proposal in that sites opt-in to extra responsibility as needed for their business logic, compared to usability being restricted unless sites do extra work.
- [Off-topic] Questions about Android as a security key.
  Yubico is working on this with their WebAuthn Recovery Draft
- iOS 16 Available September 12th
- Database Encryption
- Asynchronous delegated key generation without shared secrets
- Yubikey backup
  I think OP might be referring to the proposed recovery extension for WebAuthn, which is not the same thing as extracting secrets or replicating a YubiKey.
What are some alternatives?
KeePass2.x - unofficial mirror of KeePass2.x source code
keepassxc - KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
opentrack - Head tracking software for MS Windows, Linux, and Apple OSX
caniuse - Raw browser/feature support data from caniuse.com
PythonPassKeep - PassKeep Clone written in Python. AES Encrypted SQLite tkinter UI
DOMtegrity - JavaScript Framework to ensure webpage DOM integrity in presence of a malicious browser extension.
Padloc - A modern, open source password manager for individuals and teams.
mobile - The mobile app vault (iOS and Android).
password-manager-comparer - JavaScript code for rendering a head-to-head comparison of password managers
Aegis - A free, secure and open source app for Android to manage your 2-step verification tokens.
clients - Bitwarden client applications (web, browser extension, desktop, and cli)
Android-Password-S